RIPE: Runtime Intrusion Prevention Evaluator

850 buffer overflow attack forms.

RIPE 1 extends 2003 NDSS 2 paper from 20 attack forms to 850 attack forms.

Dimensions

Location of the buffer in memory, target code pointer, overflow technique,

D1: Location

  • Stack
  • Heap
  • BSS segment
  • Data segment

D2: Target Code Pointer

  • Return address
  • Old base pointer: The previous contents of the EBP register, which is used to reference functin arguments and local variables
  • Functino pointers: Generic function pointers allowing programmers to dymanically call different functions from the same code
  • Longjmp buffers: Setjmp/longjmp is a technique which allows programmers to easily jump back to a predefined point in their code.
  • Vulnerale Structs: Structs which group a buffer and a function pointer and can be abused by attackers to overflow from one to the other.

D3: Overflow Technique

  • Direct overflow: target is adjacent to the overflowed buffer, or can be reached by sequentially overflowing from the buffer.
  • Idirect overflow: use generic pointers to store target address, and overwrite the target with attack-controlled data. Such as ones used to bypass StackGuard canary.

D4: Attack Code

  • Shellcode without NOP sled: This option can be useful in testing the accuracy of attacks as well as challenge countermeasures that rely on the detection of specific code patterns (such as the presence of a set of 0x90 bytes (NOP)) in the process’ address space.
  • Shellcode with NOP sled: This is the most-used form of shell code that prepends the attacker’s functionality with a set of NO-oPeration instructions to improve the attacker’s chances of correctly redirecting the execution-flow of the program into his injected code.
  • Shellcode with polymorphic NOP sled: In this case, the NOP sled is not the standard set of 0x90 bytes but a set of instructions that can be executed without affecing the correctness of the actual attack code. Akritidis et al. 3 conducted a study where, among others, they showed how obfuscation and encryption can be used by attackers to evade Network Intrusion Detection Systems (NIDS).
  • Return-into-libc: e.g. using the system libc function to execute an interactive shell. RIPE uses system() for the spawning of an interactive shell and creat() for creating new files.
  • ROP: ROP is the generalization of Return-into-libc, where chunks of functionality from existing code (gadgets) and combine them to create new functionality. RIPE implements a ROP attack, but does not implement stack-pivoting techniques.

D5: (n-contain) function Abused

A user can choose to perform mthe buffer overflow with memcpy(), strncpy(), sprintf(), snprintf(), strcat(), strncat(), sscanf(), fscanf(), and also with “homebrew”, a loop-based equivalent of memcpy.

n-containing functions are designed to take the target buffer size into account which should prevent buffer overflows. The size however, is provided by the developer (static or calculated) and thus a miscalculation can cancel-out the protection offered by these functions.

Known caveats include the fact that parameter n means total buffer size for strncpy() but remaining buffer space for strncat()4, and if n is undefined for instance because of a NULL value in the length caculation strncpy() will allow for buffer overflow as shown in CVE-2009-40355:

line1 = getNext(line); // May return NULL
if ((n=line1 -line) > 255) {
    n = 255;
}
strncpy(buf, line, n); // n undef or < 0
  1. RIPE: Runtime Intrusion Prevention Evaluator. ACSAC, 2011. ↩
  2. A comparative study of publicly available tools for dynamic buffer overflow prevention. NDSS, 2003. ↩
  3. Akritidis et al. Stride: Polymorphic sled detection through instruction sequence analysis. 2005. ↩
  4. Howard, M. Evils of strncat and strncpy - Answers. http://blogs.msdn.com/b/michael_howard/archive/2004/12/10/279639.aspx ↩
  5. CVE-2009-4035 [22] ↩
Created Jul 23, 2019 // Last Updated Jan 14, 2020

If you could revise
the fundmental principles of
computer system design
to improve security...

... what would you change?